BOSTON - The federal government needs to set an example for industry and flex its $52-billion-a-year IT spending muscle to raise standards, so that vendors build security into technology rather than rushing products to market. A concerted effort is needed from everyone who depends on the Internet to take ownership and to look for and fix the vulnerabilities on their own networks. Otherwise, industry won't flourish and the economy and the nation will remain at risk.
That's what Richard Clarke, special advisor to the President for Cyberspace Security, told attendees at the recent Next Generation Networks conference. While Clarke reiterated some previous themes on the public-private partnership outlined in the Bush administration's National Strategy for securing cyberspace, he pointed to our collective responsibility to shine a light on vulnerabilities that are already known, specifying nine areas that need to be addressed.
"It's like the emperor's new clothes; we don't talk about it. IT will never reach its full promise until we address security. We need to do it in our job every day," says Clarke. "Don't assume the level of threats (worms, etc.) will be the level of future threats. As long as we have vulnerabilities, enemies will use these. Because the U.S. stands for equality, unity and justice, people will attack."
With the U.S. economy as the engine of the world's economy, the federal government also needs to raise awareness on a global level and establish international cooperation on a common standard of what is and is not legal, so that violators can be prosecuted, he says.
But Clarke stresses that strong action needs to start on the home front. While the government will continue its role in funding IT security research, the Bush administration has made a strong commitment, with the President asking for $4.5 billion for federal IT security this year, a 64% increase in security funds.
The government plans to set the pace by only buying hardware and software that is certified by the National Infrastructure Assurance Council standards for ensuring that security has been built in from the ground up.
But because the Internet is an interdependent network of government, finance, manufacturing and other information systems, every participant is obligated to secure its own piece of cyberspace by addressing nine vulnerability areas:
The first is that vendors build in, and customers demand, routers and switches that are designed with security in mind, such as routers with the capability to authenticate. These devices are shipped with passwords that are widely known and most often never changed, and with vulnerabilities that get exploited, Clarke says.
The next three security areas that Clarke says need addressing are DNS, the IPv6 protocols and Border Gateway Protocol (BGP) vulnerabilities in the address security space. "There are firewalls and intrusion detection systems that are widely deployed and not working with IPv6."
Fifth on Clarke's focus list is the physical security of networks where critical co-located resources sit, and the need to add diversity and redundancy to secure these resources.
The next vulnerability issue lies in the move to increase speed on the backbone: ISPs need to not just pass on packets, but have a responsibility to know what is in them. An ISP needs to take responsibility instead of passing along denial-of-service packets and charging us for them, says Clarke. "They are actually making money," and the government will help by funding this effort through Homeland Security research and development monies.